SlideShare ist ein Scribd-Unternehmen logo

Jar signing

Als PPTX, PDF herunterladen
L
LearningTech
Technologie
1 von 21
Java jar signer Jason
Java Security Manager 為何有 Secuirty Manager 機制 ?  Browser 把 class(jar) download 下來後,再啟動 java 去執行 download 下來的程式碼來執行是很危險的事。
Java Security Manager Java Applet 在執行時有兩種模式  有啟動 Secuirty Manager  沒有啟動 Secuirty Manager
Java Security Manager Jar Signing  Jar 檔被 sign 過,就會 Secuirty Manager 告知是否執行該 jar 檔。  Jar 檔若沒被 sign 過,就會被 Secuirty Manager 警告。 目的: Jar 檔 被 sign 過表示確定是個有名有姓的人產生的 Jar 檔,而且做出來後沒有被別人篡改過。
Jar signing 如何對 Jar (Applet) 檔進行 signing ?  OpenSSL : 是套開放原始碼的SSL套件  Keytool : Install JRE  Jarsigner : Install JDK
Java keytool Keytool is the key (key) and certificates (certificates) in the presence of a file called keystore  keystore  Key entity  Trusted certificate entries
Java keytool Keytool Command  -keystore The file named .keystore in the user's home directory  -alias Create alias. Defalut : "mykey"  -genkey Creating or Adding Data to the Keystore  -keyalg key algorithm name. Defalut : "DSA"  -keysize key bit size. Defalut : 1024  -certreq Generate the Certificate Signing Request (CSR)  -import Imports a certificate or a certificate chain  -list Lists entries in a keystore  -v verbose output
Jar signing - Step1 Creating a Sample CA Certificate  openssl req -config c:opensslbinopenssl.cnf -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365 Using properties from c:opensslbinopenssl.cnf Loading ’screen’ into random state: done Generating a 1024 bit RSA private key .................++++++ .....................++++++ writing new private key to ’ca-key.pem.txt’ Enter PEM pass phrase: Verifying password: Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ’.’, the field will be left blank. ----- Country Name (2 letter code) []:US State or Province Name (full name) []:California Locality Name (eg, city) []:Monrovia Organization Name (eg, company) []:Sun Organizational Unit Name (eg, section) []:Development Common Name (eg, your websites domain name) [] :development.sun.com Email Address []:development@sun.com
Jar signing - Step2 Create java keystore  keytool –keystore clientkeystore –genkey –alias client Enter keystore password: What is your first and last name? [Unknown]: Jason What is the name of your organizational unit? [Unknown]: Jason What is the name of your organization? [Unknown]: Jason What is the name of your City or Locality? [Unknown]: Jason What is the name of your State or Province? [Unknown]: Jason What is the two-letter country code for this unit? [Unknown]: US Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct? [no]: yes Enter key password for <client> (RETURN if same as keystore password):
Jar signing Keystore verbose output  keytool -list -v -keystore clientkeystore Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: client Creation date: 2014/3/7 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Serial number: 3277605 Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014
Jar signing - Step3 Generate the Certificate Signing Request  keytool –keystore clientkeystore –certreq –alias client –keyalg rsa –file client.csr -----BEGIN NEW CERTIFICATE REQUEST----- MIICkjCCAlACAQAwXTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBUphc29uMQ4wDAYDVQQHEwVKYXNv bjEOMAwGA1UEChMFSmFzb24xDjAMBgNVBAsTBUphc29uMQ4wDAYDVQQDEwVKYXNvbjCCAbgwggEs BgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9 jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD 9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGB APfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYT t88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaS i2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDUBuLc31+1uV7iu+WyFy6kmDsTwawhqhC18g2wu90oTmEo S7zDqL1WgeK55DKcDLxv1xGZuD1StwngUSjwBMsLFWPYi8aZ3AeUWVrA142iULDeSox7AtaI1Q2N 2m3LmmNfJxNt7clRhovxruIBwVsW+iSfk2+BsdKHIEYLrXIiGKAwMC4GCSqGSIb3DQEJDjEhMB8w HQYDVR0OBBYEFKvw3eE6Hw5fMgo70jvKcxRo4AHaMAsGByqGSM44BAMFAAMvADAsAhR2gLVksdXf YoE4WLBFm5ydJdtvcwIUaN5L0iUgRXBIPxDGjwHDEHDB0C4= -----END NEW CERTIFICATE REQUEST-----
Jar signing - Step4 Generate a signed certificate for the associated Certificate Signing Request.  openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial
Jar signing - Step5 Use the keytool to import the CA certificate into the client keystore  keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot
Jar signing Keystore verbose output Alias name: thecaroot Creation date: 2014/3/7 Entry type: trustedCertEntry Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Serial number: cd1836b5bb6f8295 Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015
Jar signing - Step6 Use the keytool to import the signed certificate for the associated client alias in the keystore.  keytool –import –keystore clientkeystore –file client.cer –alias client
Jar signing Keystore verbose output Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries Alias name: client Creation date: 2014/3/7 Entry type: PrivateKeyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Serial number: 86848dcdcc6a2971 Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015 Certificate[2]: Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development , O=Sun, L=Monrovia, ST=California, C=US Serial number: cd1836b5bb6f8295
Jar signing - Step7 Generates signatures for Java ARchive (JAR) files  jarsigner -keystore clientkeystore SignedApplet.jar client
Jar signing Verifying a Signed JAR File  jarsigner -verify -verbose SignedApplet.jar s 169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF 320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF 1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA 0 Mon Feb 21 19:29:40 CST 2011 META-INF/ sm 2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified.
Jar signing - Step8 Go to「Java Control Panel」→「Security Tab 」→ 「Manage Certificates」 Import ca-certificate.pem file
Certificate detail
Reference Java SE Decumentation http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html Configuring Java CAPS for SSL Support http://docs.oracle.com/cd/E19509-01/820-3503/cnfg_ssl-ldap-https_t/index.html

Empfohlen

JBoss Negotiation in AS7
JBoss Negotiation in AS7JBoss Negotiation in AS7
JBoss Negotiation in AS7Josef Cacek
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Martin Toshev
 
Java security
Java securityJava security
Java securityAnkush Kumar
 
Security Architecture of the Java platform
Security Architecture of the Java platformSecurity Architecture of the Java platform
Security Architecture of the Java platformMartin Toshev
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
 

Empfohlen

JBoss Negotiation in AS7
JBoss Negotiation in AS7JBoss Negotiation in AS7
JBoss Negotiation in AS7Josef Cacek
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Martin Toshev
 
Java security
Java securityJava security
Java securityAnkush Kumar
 
Security Architecture of the Java platform
Security Architecture of the Java platformSecurity Architecture of the Java platform
Security Architecture of the Java platformMartin Toshev
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
 
Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Brian Vermeer
 
Easy logins for JavaScript web applications
Easy logins for JavaScript web applicationsEasy logins for JavaScript web applications
Easy logins for JavaScript web applicationsFrancois Marier
 
Identity theft blue4it nljug
Identity theft blue4it nljugIdentity theft blue4it nljug
Identity theft blue4it nljugBrian Vermeer
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
iOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS deviceiOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS deviceMadusha Perera
 
1205 bhat pdf-ssl
1205 bhat pdf-ssl1205 bhat pdf-ssl
1205 bhat pdf-sslJamshoo Lakhani
 
Passwords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answerPasswords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answerFrancois Marier
 
Persona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwordsPersona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwordsFrancois Marier
 
The Web beyond "usernames & passwords" (OSDC12)
The Web beyond "usernames & passwords" (OSDC12)The Web beyond "usernames & passwords" (OSDC12)
The Web beyond "usernames & passwords" (OSDC12)Francois Marier
 
Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Brian Vermeer
 
Mobile Day - Fastlane
Mobile Day - FastlaneMobile Day - Fastlane
Mobile Day - FastlaneSoftware Guru
 
Identity theft jfall17
Identity theft jfall17Identity theft jfall17
Identity theft jfall17Brian Vermeer
 
Identity Theft : Developers are key
Identity Theft : Developers are keyIdentity Theft : Developers are key
Identity Theft : Developers are keyBrian Vermeer
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
The Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineThe Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineRapidSSLOnline.com
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 
Cross-Platform Authentication with Google+ Sign-In
Cross-Platform Authentication with Google+ Sign-InCross-Platform Authentication with Google+ Sign-In
Cross-Platform Authentication with Google+ Sign-InPeter Friese
 
Deployments with VS Code and Salesforce CLI
Deployments with VS Code and Salesforce CLIDeployments with VS Code and Salesforce CLI
Deployments with VS Code and Salesforce CLIishratbhatti1
 
Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Blueboxer2014
 
How we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CIHow we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CIMarcio Klepacz
 
vim
vimvim
vimLearningTech
 
PostCss
PostCssPostCss
PostCssLearningTech
 

Weitere ähnliche Inhalte

Ähnlich wie Jar signing

Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Brian Vermeer
 
Easy logins for JavaScript web applications
Easy logins for JavaScript web applicationsEasy logins for JavaScript web applications
Easy logins for JavaScript web applicationsFrancois Marier
 
Identity theft blue4it nljug
Identity theft blue4it nljugIdentity theft blue4it nljug
Identity theft blue4it nljugBrian Vermeer
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World MongoDB
 
iOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS deviceiOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS deviceMadusha Perera
 
Passwords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answerPasswords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answerFrancois Marier
 
Persona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwordsPersona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwordsFrancois Marier
 
The Web beyond "usernames & passwords" (OSDC12)
The Web beyond "usernames & passwords" (OSDC12)The Web beyond "usernames & passwords" (OSDC12)
The Web beyond "usernames & passwords" (OSDC12)Francois Marier
 
Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Brian Vermeer
 
Mobile Day - Fastlane
Mobile Day - FastlaneMobile Day - Fastlane
Mobile Day - FastlaneSoftware Guru
 
Identity theft jfall17
Identity theft jfall17Identity theft jfall17
Identity theft jfall17Brian Vermeer
 
Identity Theft : Developers are key
Identity Theft : Developers are keyIdentity Theft : Developers are key
Identity Theft : Developers are keyBrian Vermeer
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
The Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineThe Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineRapidSSLOnline.com
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 
Cross-Platform Authentication with Google+ Sign-In
Cross-Platform Authentication with Google+ Sign-InCross-Platform Authentication with Google+ Sign-In
Cross-Platform Authentication with Google+ Sign-InPeter Friese
 
Deployments with VS Code and Salesforce CLI
Deployments with VS Code and Salesforce CLIDeployments with VS Code and Salesforce CLI
Deployments with VS Code and Salesforce CLIishratbhatti1
 
Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Blueboxer2014
 
How we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CIHow we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CIMarcio Klepacz
 

Ähnlich wie Jar signing (20)

Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017
 
Easy logins for JavaScript web applications
Easy logins for JavaScript web applicationsEasy logins for JavaScript web applications
Easy logins for JavaScript web applications
 
Identity theft blue4it nljug
Identity theft blue4it nljugIdentity theft blue4it nljug
Identity theft blue4it nljug
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
iOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS deviceiOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS device
 
1205 bhat pdf-ssl
1205 bhat pdf-ssl1205 bhat pdf-ssl
1205 bhat pdf-ssl
 
Passwords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answerPasswords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answer
 
Persona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwordsPersona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwords
 
The Web beyond "usernames & passwords" (OSDC12)
The Web beyond "usernames & passwords" (OSDC12)The Web beyond "usernames & passwords" (OSDC12)
The Web beyond "usernames & passwords" (OSDC12)
 
Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17
 
Mobile Day - Fastlane
Mobile Day - FastlaneMobile Day - Fastlane
Mobile Day - Fastlane
 
Identity theft jfall17
Identity theft jfall17Identity theft jfall17
Identity theft jfall17
 
Identity Theft : Developers are key
Identity Theft : Developers are keyIdentity Theft : Developers are key
Identity Theft : Developers are key
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
The Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineThe Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonline
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
Cross-Platform Authentication with Google+ Sign-In
Cross-Platform Authentication with Google+ Sign-InCross-Platform Authentication with Google+ Sign-In
Cross-Platform Authentication with Google+ Sign-In
 
Deployments with VS Code and Salesforce CLI
Deployments with VS Code and Salesforce CLIDeployments with VS Code and Salesforce CLI
Deployments with VS Code and Salesforce CLI
 
Android Vulnerability: Fake ID
Android Vulnerability: Fake ID Android Vulnerability: Fake ID
Android Vulnerability: Fake ID
 
How we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CIHow we integrate & deploy Mobile Apps with Travis CI
How we integrate & deploy Mobile Apps with Travis CI
 

Mehr von LearningTech

Process control nodejs
Process control nodejsProcess control nodejs
Process control nodejsLearningTech
 
Vic weekly learning_20160504
Vic weekly learning_20160504Vic weekly learning_20160504
Vic weekly learning_20160504LearningTech
 
Reflection &amp; activator
Reflection &amp; activatorReflection &amp; activator
Reflection &amp; activatorLearningTech
 
Node child process
Node child processNode child process
Node child processLearningTech
 
Peggy elasticsearch應用
Peggy elasticsearch應用Peggy elasticsearch應用
Peggy elasticsearch應用LearningTech
 
Vic weekly learning_20160325
Vic weekly learning_20160325Vic weekly learning_20160325
Vic weekly learning_20160325LearningTech
 
D3js learning tips
D3js learning tipsD3js learning tips
D3js learning tipsLearningTech
 

Mehr von LearningTech (20)

vim
vimvim
vim
 
PostCss
PostCssPostCss
PostCss
 
ReactJs
ReactJsReactJs
ReactJs
 
Docker
DockerDocker
Docker
 
Semantic ui
Semantic uiSemantic ui
Semantic ui
 
node.js errors
node.js errorsnode.js errors
node.js errors
 
Process control nodejs
Process control nodejsProcess control nodejs
Process control nodejs
 
Expression tree
Expression treeExpression tree
Expression tree
 
SQL 效能調校
SQL 效能調校SQL 效能調校
SQL 效能調校
 
flexbox report
flexbox reportflexbox report
flexbox report
 
Vic weekly learning_20160504
Vic weekly learning_20160504Vic weekly learning_20160504
Vic weekly learning_20160504
 
Reflection &amp; activator
Reflection &amp; activatorReflection &amp; activator
Reflection &amp; activator
 
Peggy markdown
Peggy markdownPeggy markdown
Peggy markdown
 
Node child process
Node child processNode child process
Node child process
 
20160415ken.lee
20160415ken.lee20160415ken.lee
20160415ken.lee
 
Peggy elasticsearch應用
Peggy elasticsearch應用Peggy elasticsearch應用
Peggy elasticsearch應用
 
Expression tree
Expression treeExpression tree
Expression tree
 
Vic weekly learning_20160325
Vic weekly learning_20160325Vic weekly learning_20160325
Vic weekly learning_20160325
 
D3js learning tips
D3js learning tipsD3js learning tips
D3js learning tips
 
git command
git commandgit command
git command
 

Kürzlich hochgeladen

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Kürzlich hochgeladen (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Jar signing

  • 2. Java Security Manager 為何有 Secuirty Manager 機制 ?  Browser 把 class(jar) download 下來後,再啟動 java 去執行 download 下來的程式碼來執行是很危險的事。
  • 3. Java Security Manager Java Applet 在執行時有兩種模式  有啟動 Secuirty Manager  沒有啟動 Secuirty Manager
  • 4. Java Security Manager Jar Signing  Jar 檔被 sign 過,就會 Secuirty Manager 告知是否執行該 jar 檔。  Jar 檔若沒被 sign 過,就會被 Secuirty Manager 警告。 目的: Jar 檔 被 sign 過表示確定是個有名有姓的人產生的 Jar 檔,而且做出來後沒有被別人篡改過。
  • 5. Jar signing 如何對 Jar (Applet) 檔進行 signing ?  OpenSSL : 是套開放原始碼的SSL套件  Keytool : Install JRE  Jarsigner : Install JDK
  • 6. Java keytool Keytool is the key (key) and certificates (certificates) in the presence of a file called keystore  keystore  Key entity  Trusted certificate entries
  • 7. Java keytool Keytool Command  -keystore The file named .keystore in the user's home directory  -alias Create alias. Defalut : "mykey"  -genkey Creating or Adding Data to the Keystore  -keyalg key algorithm name. Defalut : "DSA"  -keysize key bit size. Defalut : 1024  -certreq Generate the Certificate Signing Request (CSR)  -import Imports a certificate or a certificate chain  -list Lists entries in a keystore  -v verbose output
  • 8. Jar signing - Step1 Creating a Sample CA Certificate  openssl req -config c:opensslbinopenssl.cnf -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365 Using properties from c:opensslbinopenssl.cnf Loading ’screen’ into random state: done Generating a 1024 bit RSA private key .................++++++ .....................++++++ writing new private key to ’ca-key.pem.txt’ Enter PEM pass phrase: Verifying password: Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ’.’, the field will be left blank. ----- Country Name (2 letter code) []:US State or Province Name (full name) []:California Locality Name (eg, city) []:Monrovia Organization Name (eg, company) []:Sun Organizational Unit Name (eg, section) []:Development Common Name (eg, your websites domain name) [] :development.sun.com Email Address []:development@sun.com
  • 9. Jar signing - Step2 Create java keystore  keytool –keystore clientkeystore –genkey –alias client Enter keystore password: What is your first and last name? [Unknown]: Jason What is the name of your organizational unit? [Unknown]: Jason What is the name of your organization? [Unknown]: Jason What is the name of your City or Locality? [Unknown]: Jason What is the name of your State or Province? [Unknown]: Jason What is the two-letter country code for this unit? [Unknown]: US Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct? [no]: yes Enter key password for <client> (RETURN if same as keystore password):
  • 10. Jar signing Keystore verbose output  keytool -list -v -keystore clientkeystore Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: client Creation date: 2014/3/7 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Issuer: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Serial number: 3277605 Valid from: Fri Mar 07 02:21:08 CST 2014 until: Thu Jun 05 02:21:08 CST 2014
  • 11. Jar signing - Step3 Generate the Certificate Signing Request  keytool –keystore clientkeystore –certreq –alias client –keyalg rsa –file client.csr -----BEGIN NEW CERTIFICATE REQUEST----- MIICkjCCAlACAQAwXTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBUphc29uMQ4wDAYDVQQHEwVKYXNv bjEOMAwGA1UEChMFSmFzb24xDjAMBgNVBAsTBUphc29uMQ4wDAYDVQQDEwVKYXNvbjCCAbgwggEs BgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9 jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD 9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGB APfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYT t88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaS i2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDUBuLc31+1uV7iu+WyFy6kmDsTwawhqhC18g2wu90oTmEo S7zDqL1WgeK55DKcDLxv1xGZuD1StwngUSjwBMsLFWPYi8aZ3AeUWVrA142iULDeSox7AtaI1Q2N 2m3LmmNfJxNt7clRhovxruIBwVsW+iSfk2+BsdKHIEYLrXIiGKAwMC4GCSqGSIb3DQEJDjEhMB8w HQYDVR0OBBYEFKvw3eE6Hw5fMgo70jvKcxRo4AHaMAsGByqGSM44BAMFAAMvADAsAhR2gLVksdXf YoE4WLBFm5ydJdtvcwIUaN5L0iUgRXBIPxDGjwHDEHDB0C4= -----END NEW CERTIFICATE REQUEST-----
  • 12. Jar signing - Step4 Generate a signed certificate for the associated Certificate Signing Request.  openssl x509 -req -CA ca-certificate.pem -CAkey ca-key.pem.txt -in client.csr -out client.cer -days 365 -CAcreateserial
  • 13. Jar signing - Step5 Use the keytool to import the CA certificate into the client keystore  keytool -import -keystore clientkeystore -file ca-certificate.pem -alias theCARoot
  • 14. Jar signing Keystore verbose output Alias name: thecaroot Creation date: 2014/3/7 Entry type: trustedCertEntry Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Serial number: cd1836b5bb6f8295 Valid from: Thu Feb 20 18:39:57 CST 2014 until: Fri Feb 20 18:39:57 CST 2015
  • 15. Jar signing - Step6 Use the keytool to import the signed certificate for the associated client alias in the keystore.  keytool –import –keystore clientkeystore –file client.cer –alias client
  • 16. Jar signing Keystore verbose output Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries Alias name: client Creation date: 2014/3/7 Entry type: PrivateKeyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=Jason, OU=Jason, O=Jason, L=Jason, ST=Jason, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Serial number: 86848dcdcc6a2971 Valid from: Fri Mar 07 02:36:08 CST 2014 until: Sat Mar 07 02:36:08 CST 2015 Certificate[2]: Owner: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US Issuer: EMAILADDRESS=development@sum.com, CN=development.sum.com, OU=Development , O=Sun, L=Monrovia, ST=California, C=US Serial number: cd1836b5bb6f8295
  • 17. Jar signing - Step7 Generates signatures for Java ARchive (JAR) files  jarsigner -keystore clientkeystore SignedApplet.jar client
  • 18. Jar signing Verifying a Signed JAR File  jarsigner -verify -verbose SignedApplet.jar s 169 Fri Mar 07 13:59:24 CST 2014 META-INF/MANIFEST.MF 320 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.SF 1997 Fri Mar 07 13:59:24 CST 2014 META-INF/CLIENT.DSA 0 Mon Feb 21 19:29:40 CST 2011 META-INF/ sm 2206 Mon Feb 21 19:29:36 CST 2011 SignedApplet.class s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified.
  • 19. Jar signing - Step8 Go to「Java Control Panel」→「Security Tab 」→ 「Manage Certificates」 Import ca-certificate.pem file
  • 21. Reference Java SE Decumentation http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html Configuring Java CAPS for SSL Support http://docs.oracle.com/cd/E19509-01/820-3503/cnfg_ssl-ldap-https_t/index.html

Hinweis der Redaktion

  1. http://polinwei.blogspot.tw/2013/02/java-keytoolmicrosoft-active-directory.htmlhttp://cooking-java.blogspot.tw/2010/01/java-keytool.htmlhttp://fecbob.pixnet.net/blog/post/36050717-%5Bandroid%5D-keytool%E5%B7%A5%E5%85%B7%E4%BD%BF%E7%94%A8%E8%A9%B3%E8%A7%A3
  2. http://www.openssl.org/docs/apps/x509.html
  3. X.509 的目的為,證實這個已簽發憑證,確實為憑證上宣稱的那個人所發行的憑證。
  4. http://www.frogjumpjump.com/2011/09/ssl-x509ssl.htmlhttp://www.imacat.idv.tw/tech/sslcerts.html.zh-tw#sslx509